CISA has added CVE-2026-20245 to its Known Exploited Vulnerabilities (KEV) catalogue. The flaw affects Cisco's Catalyst SD-WAN Manager (formerly SD-WAN vManage) and involves an improper encoding or escaping of output that could let an authenticated, local attacker run arbitrary commands as root.
The vulnerability is an output-encoding issue in the Catalyst SD-WAN Manager web interface. By uploading a specially crafted file, an attacker who already has local authentication can achieve privilege escalation to root. The CVSS base score is 7.8, rated HIGH, reflecting the potential impact on confidentiality, integrity and availability. No patch information is currently available in the NVD entry.
Because the vulnerability is listed in the KEV catalogue, active exploitation has been confirmed in the wild. CISA has not linked this flaw to any known ransomware campaign. Federal civilian executive branch (FCEB) agencies must apply mitigations by the remediation due date of 2026-06-23.
CISA's required action is: "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable." While this directive binds FCEB agencies, all organisations should review their exposure to Catalyst SD-WAN Manager and implement the advised mitigations or consider discontinuing use if no fix exists.
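One way to operationalise the "review your exposure" advice above is to match the KEV feed against a local product inventory and compute how many days remain until each remediation due date. The script below is an added example, not code from CISA or from the article. It uses the field names published in the CISA KEV JSON feed (`cveID`, `vendorProject`, `product`, `dueDate`, `knownRansomwareCampaignUse`, `requiredAction`, and so on), but the catalogue text embedded in it is a constructed sample: the Cisco record carries the values stated in this article, its `dateAdded` is a placeholder the article does not give, and the second record is an obviously fictitious filler entry used only to show that non-inventory products are filtered out.

```python
"""Triage a KEV-format catalogue against a local product inventory.

Added example. The JSON below is a constructed sample shaped like the CISA
KEV feed; it is not a copy of the live catalogue.
"""
import json
from datetime import date

# Constructed sample. Values for CVE-2026-20245 come from the article;
# dateAdded is a placeholder, and the second record is fictitious filler.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "constructed-sample",
  "vulnerabilities": [
    {
      "cveID": "CVE-2026-20245",
      "vendorProject": "Cisco",
      "product": "Catalyst SD-WAN Manager",
      "vulnerabilityName": "Cisco Catalyst SD-WAN Manager Improper Encoding or Escaping of Output Vulnerability",
      "dateAdded": "2026-06-02",
      "shortDescription": "Improper encoding or escaping of output in the web interface allows an authenticated, local attacker to run arbitrary commands as root via a crafted file upload.",
      "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
      "dueDate": "2026-06-23",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": "https://nvd.nist.gov/vuln/detail/CVE-2026-20245"
    },
    {
      "cveID": "CVE-1900-00001",
      "vendorProject": "ExampleVendor",
      "product": "Example Appliance",
      "vulnerabilityName": "PLACEHOLDER filler record",
      "dateAdded": "2026-05-01",
      "shortDescription": "Placeholder entry, not a real vulnerability.",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2026-05-22",
      "knownRansomwareCampaignUse": "Known",
      "notes": ""
    }
  ]
}
"""


def load_kev(text):
    """Parse a KEV-format JSON document and return its vulnerability records."""
    return json.loads(text)["vulnerabilities"]


def find_cve(entries, cve_id):
    """Return the KEV record for cve_id (case-insensitive), or None."""
    wanted = cve_id.upper()
    for entry in entries:
        if entry["cveID"].upper() == wanted:
            return entry
    return None


def days_until_due(entry, today):
    """Days from today to the record's dueDate; negative once the date has passed."""
    return (date.fromisoformat(entry["dueDate"]) - today).days


def triage(entries, inventory, today):
    """Return KEV records whose (vendor, product) is in the inventory.

    inventory is a set of lower-cased (vendorProject, product) pairs. Results
    are sorted by due date so the most urgent item comes first.
    """
    hits = []
    for entry in entries:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        if key not in inventory:
            continue
        left = days_until_due(entry, today)
        hits.append({
            "cveID": entry["cveID"],
            "product": entry["product"],
            "dueDate": entry["dueDate"],
            "days_left": left,
            "overdue": left < 0,
            "ransomware": entry["knownRansomwareCampaignUse"],
            "action": entry["requiredAction"],
        })
    hits.sort(key=lambda hit: hit["dueDate"])
    return hits


if __name__ == "__main__":
    # Hypothetical inventory: this organisation runs Catalyst SD-WAN Manager.
    inventory = {("cisco", "catalyst sd-wan manager")}
    for hit in triage(load_kev(SAMPLE_KEV_JSON), inventory, date(2026, 6, 16)):
        status = "OVERDUE" if hit["overdue"] else f"{hit['days_left']} days left"
        print(f"{hit['cveID']} {hit['product']}: due {hit['dueDate']} ({status}), "
              f"ransomware use: {hit['ransomware']}")
```

Against a real deployment the constructed JSON would be replaced by the downloaded KEV feed and the inventory by the organisation's asset register; the matching is deliberately exact on vendor and product name, so inventory entries need to use the same spelling the catalogue uses.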
For full details, consult the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-20245 and the CISA KEV catalogue.